Abstract. The block cipher KASUMI is widely used for security in many synchronous wireless
standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd Generation Partnership Project)
ciphering algorithms in 2001. There are a great many cryptanalytic results on KASUMI; however,
its security evaluation against the recent zero-correlation linear attacks is still lacking. In
this paper, we select some special input masks to refine the general 5-round zero-correlation linear
approximations, combining them with some observations on the FL functions, and then propose a
6-round zero-correlation linear attack on KASUMI. Moreover, zero-correlation linear attacks on the
last 7 rounds of KASUMI are also introduced under some weak-key conditions. These weak keys take
more than half of the whole key space.

The new zero-correlation linear attack on the 6-round version needs about $2^{107.8}$ encryptions
with $2^{59.4}$ known plaintexts. For the attack under weak-key conditions on the last 7 rounds, the
data complexity is about $2^{62.1}$ known plaintexts and the time complexity is $2^{125.2}$ encryptions.

Keywords: KASUMI, Zero-correlation linear cryptanalysis, Cryptography. 
1 Introduction 

With the rapid growth of wireless services, various security algorithms have been developed
to provide users with effective and secure communications. KASUMI was developed from
a previous block cipher known as MISTY1 [10], which was chosen as the foundation for the
3GPP confidentiality and integrity algorithm [14]. Nowadays, it is widely used in UMTS,
GSM and GPRS mobile communications. KASUMI adopts the basic Feistel structure and
has eight rounds. It accepts a 64-bit block and a 128-bit key.

Up to now, a great deal of attention has been paid to KASUMI and many cryptanalytic methods
have been used to evaluate its security, such as differential cryptanalysis [6], integral-interpolation
attack [11], higher order differential attack [12] [13], sandwich attack [7] and impossible
differential attack [8]. In the past years, higher order differential attack [12] [13] and
integral-interpolation attack [5] were applied to analyze variants of KASUMI. Kuhn [9] presented an
impossible differential attack on a 6-round version at EuroCrypt 2001. Later, Jia et al. [8]
refined the impossible differential by selecting some special input differential values and
extended the 12-year-old impossible differential attack on 6-round KASUMI to 7 rounds at
SAC 2013. In the related-key setting, attacks on full 8-round KASUMI [5] were presented
using related-key boomerang and rectangle attacks, and the complexities are about $2^{78.7}$ and
$2^{76.1}$ encryptions, respectively. At Crypto 2010, a new strategy called the sandwich attack [7],
a formal extension of boomerang attacks, was obtained on the full KASUMI.

Attack Type                         Rounds   Data              Time               Source
Higher-Order Differential           5        $2^{22.1}$ CP     $2^{60.7}$ Enc     [6]
Higher-Order Differential           5        $2^{28.9}$ CP     $2^{31.2}$ Enc     [7]
Integral-Interpolation              6        $2^{48}$ CP       $2^{126.2}$ Enc    [5]
Impossible Differential             6        $2^{55}$ CP       $2^{100}$ Enc      [9]
Multidimensional Zero-Correlation   6        $2^{59.4}$ KP     $2^{107.8}$ Enc    Sect. 4
Impossible Differential             7        $2^{52.5}$ CP     $2^{114.3}$ Enc    [14]
Impossible Differential             7        $2^{62}$ CP       $2^{115.8}$ Enc    [14]
Multidimensional Zero-Correlation   7        $2^{62.1}$ KP     $2^{125.2}$ Enc    Sect. 5

CP refers to the number of chosen plaintexts.
KP refers to the number of known plaintexts.
Enc refers to the number of encryptions.

Table 1: The key schedule of KASUMI

Bogdanov and Rijmen [1] proposed zero-correlation linear cryptanalysis. It is a novel
promising attack technique for block ciphers and has its theoretical foundation in the
availability of numerous key-independent unbiased linear approximations with correlation zero for
many ciphers. However, the initial distinguisher of [1] had some limitations in terms of data
complexity, as it needs at least half of the codebook. At FSE 2012, Bogdanov and Wang [2]
proposed a more data-efficient distinguisher by making use of multiple linear approximations
with correlation zero. The data complexity is reduced; however, the distinguisher relies on
the assumption that all linear approximations with correlation zero are independent. At
AsiaCrypt 2012 [3], a multidimensional distinguisher was constructed for the zero-correlation
property, which removed the unnecessary independence assumptions on the distinguishing
side. Recently, multidimensional zero-correlation linear cryptanalysis has been used successfully
in attacks on the block ciphers CAST-256 [3], CLEFIA [4], HIGHT [15] and E2 [16].

In this paper, we evaluate the security of KASUMI with respect to the recent technique 
of zero-correlation linear cryptanalysis. Our contributions can be summarized as follows. 

1. We reveal some 5-round linear approximations of correlation zero in KASUMI. For the
zero-correlation linear approximations of 5-round KASUMI, $(a, 0) \xrightarrow{5\text{-Round}} (a, 0)$,
if we take all non-zero values for a, then there are so many guessed subkey bits involved in the
key recovery process that the time complexity will be greater than exhaustive search. Therefore,
in order to reduce the number of guessed subkey bits, we only use some special linear approximations.
Based on some observations on the FL function, we give some conditions the special linear
approximations should satisfy.

2. We propose a multidimensional zero-correlation linear attack on 6 rounds of KASUMI.
To our knowledge, there are no linear attacks on KASUMI so far and we bridge this gap, if
we treat the zero-correlation linear attack as a special case of linear attacks.

3. We provide a key-recovery attack on 7-round KASUMI (round 2 to round 8) under some
weak-key conditions. We assume that the second keys of the FL function in round 2 and round
8 have the same value in at least 8 bit positions. The purpose is to strike a balance between
selecting enough linear approximations and having more master keys satisfy the assumption.

The paper is organized as follows. We give a brief description of the block cipher KASUMI
and outline the ideas of multidimensional zero-correlation linear cryptanalysis in Section 2.
Some observations on the FL function are shown in Section 3. Section 4 and Section 5 illustrate
our attacks on 6-round and the last 7-round KASUMI. We conclude in Section 6.

2 Preliminaries

2.1 Description of KASUMI 

The KASUMI algorithms [14] are symmetric block ciphers with a block size of 64 bits and a
key size of 128 bits. We give a brief description of KASUMI in this section.

KASUMI is a Feistel structure with 8 rounds, see Fig. 1 (a) for an illustration. The round
function consists of an FL function and an FO function. The FL function is a simple
key-dependent boolean function, depicted in Fig. 1 (c). Let the inputs of the FL function of the
i-th round be $XL_i = XL_{i,l} \| XL_{i,r}$, $KL_i = (KL_{i,1}, KL_{i,2})$, the output be
$YL_i = YL_{i,l} \| YL_{i,r}$, where $XL_{i,l}$, $XL_{i,r}$, $YL_{i,l}$ and $YL_{i,r}$ are 16-bit
integers. We define the FL function as follows:

$$YL_{i,r} = ((XL_{i,l} \cap KL_{i,1}) \lll 1) \oplus XL_{i,r},$$

$$YL_{i,l} = ((YL_{i,r} \cup KL_{i,2}) \lll 1) \oplus XL_{i,l},$$

where $\cap$ and $\cup$ denote bitwise AND and OR respectively, $x \lll i$ implies that x rotates left
by i bits, $\oplus$ denotes the bitwise exclusive-or (XOR), $\|$ represents the concatenation, and $FL_i$
denotes the FL function of the i-th round with subkey $KL_i$.

The FO function is depicted in Fig. 1 (b), which is another three-round Feistel structure
consisting of three FI functions and key mixing stages. Let $XO_i = XO_{i,l} \| XO_{i,r}$,
$KO_i = (KO_{i,1}, KO_{i,2}, KO_{i,3})$, $KI_i = (KI_{i,1}, KI_{i,2}, KI_{i,3})$ be the inputs of the
FO function of the i-th round, and $YO_i = YO_{i,l} \| YO_{i,r}$ be the corresponding output, where
$XO_{i,l}$, $XO_{i,r}$, $YO_{i,l}$, $YO_{i,r}$ and $XI_{i,3}$ are 16-bit integers. Then the FO function
has the form

$$XI_{i,3} = FI((XO_{i,l} \oplus KO_{i,1}), KI_{i,1}) \oplus XO_{i,r},$$

$$YO_{i,l} = FI((XO_{i,r} \oplus KO_{i,2}), KI_{i,2}) \oplus XI_{i,3},$$

$$YO_{i,r} = FI((XI_{i,3} \oplus KO_{i,3}), KI_{i,3}) \oplus YO_{i,l}.$$

For simplicity, $FO_i$ denotes the FO function of the i-th round.

Algorithm 1 The KASUMI block cipher

Require: 64-bit plaintext $P = (L_0, R_0)$; main key $K$.
Ensure: 64-bit ciphertext $C = (L_8, R_8)$.

1: Derive round keys $KO_i$, $KI_i$ and $KL_i$ ($1 \le i \le 8$) from $K$.
2: for j = 1 to 8 do
3:   if j is odd, do
4:     $L_j = FO(FL(L_{j-1}, KL_j), KO_j, KI_j) \oplus R_{j-1}$, $R_j = L_{j-1}$,
5:   else, do:
6:     $L_j = FL(FO(L_{j-1}, KO_j, KI_j), KL_j) \oplus R_{j-1}$, $R_j = L_{j-1}$.
7: end for
8: return $C = (L_8, R_8)$.

The FI function uses two S-boxes $S_7$ and $S_9$, which are permutations of 7-bit to 7-bit and
9-bit to 9-bit respectively. Suppose the inputs of the j-th FI function of the i-th round are
$XI_{i,j}$, $KI_{i,j}$ and the output is $YI_{i,j}$, where $XI_{i,j}$ and $YI_{i,j}$ are 16-bit
integers. We define half of the FI function as $\overline{FI}$, which is a 16-bit to 16-bit
permutation. The structure of FI and $\overline{FI}$ is depicted in Fig. 1 (c).
$\overline{YI}_{i,j} = \overline{FI}(XI_{i,j})$ is defined as

$$\overline{YI}_{i,j}[0 \sim 8] = S_9(XI_{i,j}[7 \sim 15]) \oplus XI_{i,j}[0 \sim 6],$$

$$\overline{YI}_{i,j}[9 \sim 15] = S_7(XI_{i,j}[0 \sim 6]) \oplus \overline{YI}_{i,j}[0 \sim 6],$$

where $z[i_1 \sim i_2]$ denotes the $(i_2 - i_1)$ bits from the $i_1$-th bit to the $i_2$-th bit of z,
and 0 is the least significant bit. The FI function is simplified as

$$YI_{i,j} = FI(XI_{i,j}, KI_{i,j}) = \overline{FI}((\overline{FI}(XI_{i,j}) \oplus KI_{i,j}) \lll 7),$$

and we denote $FI_{i,j}$ as the j-th FI function of the i-th round with subkey $KI_{i,j}$.

Let $L_i \| R_i = ((L_{i,l} \| L_{i,r}) \| (R_{i,l} \| R_{i,r}))$ be the input of the i-th round, and
then the round function is defined as

$$L_i = FO(FL(L_{i-1}, KL_i), KO_i, KI_i) \oplus R_{i-1}, \quad R_i = L_{i-1},$$

where i = 1, 3, 5, 7, and when i = 2, 4, 6, 8,

$$L_i = FL(FO(L_{i-1}, KO_i, KI_i), KL_i) \oplus R_{i-1}, \quad R_i = L_{i-1}.$$

Here, $L_0$, $R_0$, $L_8$, $R_8$ are the plaintext and ciphertext respectively, and $L_{i-1}$, $R_{i-1}$
denote the left and right 32-bit halves of the i-th round input. The KASUMI cipher can be described in
Algorithm 1.
Round  $KL_{i,1}$     $KL_{i,2}$  $KO_{i,1}$     $KO_{i,2}$     $KO_{i,3}$      $KI_{i,1}$  $KI_{i,2}$  $KI_{i,3}$
1      $k_1 \lll 1$   $k'_3$      $k_2 \lll 5$   $k_6 \lll 8$   $k_7 \lll 13$   $k'_5$      $k'_4$      $k'_8$
2      $k_2 \lll 1$   $k'_4$      $k_3 \lll 5$   $k_7 \lll 8$   $k_8 \lll 13$   $k'_6$      $k'_5$      $k'_1$
3      $k_3 \lll 1$   $k'_5$      $k_4 \lll 5$   $k_8 \lll 8$   $k_1 \lll 13$   $k'_7$      $k'_6$      $k'_2$
4      $k_4 \lll 1$   $k'_6$      $k_5 \lll 5$   $k_1 \lll 8$   $k_2 \lll 13$   $k'_8$      $k'_7$      $k'_3$
5      $k_5 \lll 1$   $k'_7$      $k_6 \lll 5$   $k_2 \lll 8$   $k_3 \lll 13$   $k'_1$      $k'_8$      $k'_4$
6      $k_6 \lll 1$   $k'_8$      $k_7 \lll 5$   $k_3 \lll 8$   $k_4 \lll 13$   $k'_2$      $k'_1$      $k'_5$
7      $k_7 \lll 1$   $k'_1$      $k_8 \lll 5$   $k_4 \lll 8$   $k_5 \lll 13$   $k'_3$      $k'_2$      $k'_6$
8      $k_8 \lll 1$   $k'_2$      $k_1 \lll 5$   $k_5 \lll 8$   $k_6 \lll 13$   $k'_4$      $k'_3$      $k'_7$

$x \lll i$: x rotates left by i bits. $k'_i = k_i \oplus c_i$, where the $c_i$s are fixed constants.

Table 2: The key schedule of KASUMI



The key schedule of KASUMI is much simpler than the original key schedule of MISTY1.
The 128-bit key K is divided into eight 16-bit words: $(k_1, k_2, \ldots, k_8)$, i.e.,
$K = (k_1, k_2, k_3, k_4, k_5, k_6, k_7, k_8)$. In each round, eight key words are used to compute
the round subkeys, which are made up of three parts $KL_i$, $KO_i$ and $KI_i$. Here,
$KL_i = (KL_{i,1}, KL_{i,2})$, $KO_i = (KO_{i,1}, KO_{i,2}, KO_{i,3})$ and
$KI_i = (KI_{i,1}, KI_{i,2}, KI_{i,3})$. We summarize the details of the key
schedule of KASUMI in Tab. 2.

2.2 Zero-correlation cryptanalysis 

In this section, we briefly recall the basic concepts of zero-correlation linear cryptanalysis
based on [1], [2] and [3]. Linear cryptanalysis is based on linear approximations determined
by input mask $\alpha$ and output mask $\beta$. A linear approximation $\alpha \to \beta$ of a
vectorial function $f$ has a correlation denoted by

$$C(\beta \cdot f(x), \alpha \cdot x) = 2\Pr_x(\beta \cdot f(x) \oplus \alpha \cdot x = 0) - 1,$$

where we denote the scalar product of binary vectors by

In zero-correlation linear cryptanalysis, the distinguisher uses linear approximations with
zero correlation for all keys, while classical linear cryptanalysis utilizes linear
approximations with correlation as far from zero as possible. Bogdanov et al. [3] proposed a
multidimensional zero-correlation linear distinguisher using $l$ zero-correlation linear
approximations and requiring $O(2^n/\sqrt{l})$ known plaintexts, where n is the block size of a cipher.

Figure 1: The structure and building blocks of KASUMI. Panels include (a) KASUMI general
structure and (d) FL function.

We treat the zero-correlation linear approximations available as a linear space spanned
by m base zero-correlation linear approximations such that all $l = 2^m - 1$ non-zero linear
combinations of them have zero correlation. For each of the $2^m$ data values $z \in \mathbb{F}_2^m$,
the attacker initializes a counter $V[z]$, $z = 0, 1, \ldots, 2^m - 1$, to value zero. Then, for each
distinct plaintext, the attacker computes the corresponding data value in $\mathbb{F}_2^m$ by
evaluating the m basis linear approximations and increments the counter $V[z]$ of this data value by
one. Then the attacker computes the statistic T:

$$T = \sum_{i=0}^{2^m-1} \frac{(V[i] - N 2^{-m})^2}{N 2^{-m}(1 - 2^{-m})}.$$

The statistic T follows a $\chi^2$-distribution with mean $\mu_0 = (l - 1)\frac{2^n - N}{2^n - 1}$ and
variance $\sigma_0^2 = 2(l - 1)\left(\frac{2^n - N}{2^n - 1}\right)^2$ for the right key guess, while
for the wrong key guess, it follows a $\chi^2$-distribution with mean $\mu_1 = l - 1$ and variance
$\sigma_1^2 = 2(l - 1)$.

If we denote the probability of false positives and the probability of false negatives to
distinguish between a wrong key and a right key as $\beta_0$ and $\beta_1$, respectively, and we
consider the decision threshold
$\tau = \mu_0 + \sigma_0 z_{1-\beta_0} = \mu_1 - \sigma_1 z_{1-\beta_1}$, then the number of known
plaintexts N should be about

$$N = \frac{(2^n - 1)(z_{1-\beta_0} + z_{1-\beta_1})}{\sqrt{(l - 1)/2} + z_{1-\beta_0}} + 1,$$

where $z_{1-\beta_0}$ and $z_{1-\beta_1}$ are the respective quantiles of the standard normal
distribution, see [3] for details.
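The distinguisher recalled above can be exercised at small scale. The following Python example is added here and is not from the paper: it computes the statistic T for a key guess whose m-bit data value z is exactly balanced over the codebook (the zero-correlation case) and for a guess whose z values are independent and uniform. The parameters n = 10, m = 4, N = 512, the random-permutation model and all function names are assumptions chosen for the example.

```python
import random


def t_statistic(counters, n_samples):
    """T = sum_z (V[z] - N*2^-m)^2 / (N*2^-m*(1 - 2^-m)), as in Section 2.2."""
    p = 1.0 / len(counters)
    expected = n_samples * p
    return sum((v - expected) ** 2 for v in counters) / (expected * (1.0 - p))


def counters_for_guess(n_bits, m_bits, n_samples, right_key, rng):
    """Fill V[z] from N distinct known plaintexts for one key guess."""
    codebook, cells = 1 << n_bits, 1 << m_bits
    counters = [0] * cells
    plaintexts = rng.sample(range(codebook), n_samples)
    if right_key:
        # All 2^m - 1 mask combinations have zero correlation exactly when z
        # takes every value equally often over the whole codebook. Modelled
        # (assumption) as the low m bits of a random permutation.
        table = list(range(codebook))
        rng.shuffle(table)
        for x in plaintexts:
            counters[table[x] % cells] += 1
    else:
        # Wrong guess: z behaves like independent uniform m-bit values.
        for _ in plaintexts:
            counters[rng.randrange(cells)] += 1
    return counters


def run_experiment(n_bits=10, m_bits=4, n_samples=512, trials=200, z0=1.0, seed=1):
    """Return (tau, per-hypothesis mean of T and fraction of guesses with T < tau)."""
    rng = random.Random(seed)
    dof = (1 << m_bits) - 1
    shrink = ((1 << n_bits) - n_samples) / ((1 << n_bits) - 1)
    # Threshold tau = mu_0 + sigma_0 * z, with mu_0 and sigma_0 for dof degrees.
    tau = dof * shrink + z0 * (2 * dof) ** 0.5 * shrink
    stats = {}
    for name, right_key in (("right", True), ("wrong", False)):
        ts = [t_statistic(counters_for_guess(n_bits, m_bits, n_samples,
                                             right_key, rng), n_samples)
              for _ in range(trials)]
        stats[name] = {"mean_T": sum(ts) / trials,
                       "accepted": sum(t < tau for t in ts) / trials}
    return tau, stats


if __name__ == "__main__":
    tau, stats = run_experiment()
    print("tau = %.2f" % tau)
    for name, s in stats.items():
        print(name, "mean T = %.2f" % s["mean_T"], "accepted = %.2f" % s["accepted"])
```

The ratio of the two means approaches $(2^n - N)/(2^n - 1)$, which is why the distinguisher needs N to be a noticeable fraction of the codebook.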

3 Some Observations of KASUMI 

Let $M = (m_0, m_1, \ldots, m_{l-1})$, $x = (x_0, x_1, \ldots, x_{l-1})$,
$\neg M = (\neg m_0, \neg m_1, \ldots, \neg m_{l-1})$,
$M \cup x = (m_0 \cup x_0, m_1 \cup x_1, \ldots, m_{l-1} \cup x_{l-1})$,
$M \cap x = (m_0 \cap x_0, m_1 \cap x_1, \ldots, m_{l-1} \cap x_{l-1})$ and
$M \circ x = (m_0 x_0, m_1 x_1, \ldots, m_{l-1} x_{l-1})$. We describe some observations on the FL
functions, which are used in our cryptanalysis of KASUMI.

Observation 1. Let M be an l-bit value and $h_1(x) = M \cup x$, $h_2(x) = M \cap x$. Then
$C(\beta \cdot h_1(x), \alpha \cdot x) \neq 0$ if and only if $\alpha = \neg M \circ \beta$, and
$C(\beta \cdot h_2(x), \alpha \cdot x) \neq 0$ if and only if $\alpha = M \circ \beta$,
see Figure 2 (a)(b).

We only consider the function $h_1(x)$. For any $i \in (0, l - 1)$, if $m_i = 0$, then the input
mask $\alpha_i$ is the same as the output mask $\beta_i$. If $m_i = 1$, then $\alpha_i = 0$, no
matter what value $\beta_i$ takes. The following result can be deduced from Observation 1.
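Observation 1 can be checked exhaustively for small l. The following Python example is an addition, not code from the paper; the width l = 4 and the function names are assumptions. It computes every correlation $C(\beta \cdot h(x), \alpha \cdot x)$ directly from the definition and confirms that the only input mask with non-zero correlation is $\neg M \circ \beta$ for OR and $M \circ \beta$ for AND.

```python
from itertools import product


def dot(mask, value):
    """Scalar product over GF(2): parity of the bits selected by mask."""
    return bin(mask & value).count("1") & 1


def correlation(func, alpha, beta, width):
    """C(beta.f(x), alpha.x) = 2*Pr_x[beta.f(x) xor alpha.x = 0] - 1."""
    size = 1 << width
    zeros = sum(1 for x in range(size) if dot(beta, func(x)) == dot(alpha, x))
    return 2 * zeros / size - 1


def nonzero_input_masks(func, beta, width):
    """Map every input mask alpha with non-zero correlation to that correlation."""
    hits = {}
    for alpha in range(1 << width):
        c = correlation(func, alpha, beta, width)
        if c != 0:
            hits[alpha] = c
    return hits


def check_observation_1(width=4):
    """True if, for every M and beta, the masks match Observation 1."""
    full = (1 << width) - 1
    for m, beta in product(range(1 << width), repeat=2):
        or_hits = nonzero_input_masks(lambda x: m | x, beta, width)
        and_hits = nonzero_input_masks(lambda x: m & x, beta, width)
        # OR with M: only alpha = (not M) o beta survives.
        if set(or_hits) != {(~m & full) & beta}:
            return False
        # AND with M: only alpha = M o beta survives.
        if set(and_hits) != {m & beta}:
            return False
        # The surviving approximation holds with correlation +1 or -1.
        if any(abs(c) != 1 for c in list(or_hits.values()) + list(and_hits.values())):
            return False
    return True


if __name__ == "__main__":
    print("Observation 1 holds for l = 4:", check_observation_1(4))
    print(nonzero_input_masks(lambda x: 0b1010 | x, 0b0110, 4))
    print(nonzero_input_masks(lambda x: 0b1010 & x, 0b0110, 4))
```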

Observation 2. If the output mask of the FL function is $(a, a')$, where
$a'[i] = a[i - 1] \, \neg KL_2[i]$, $i = 1, 2, \ldots, l - 1$, and $a'[0] = a[l - 1] \, \neg KL_2[0]$,
that is, $a' = (a \lll 1) \circ \neg KL_2$, then the input mask of the FL function is $(a, 0)$,
see Figure 2 (c).

Based on Observation 2 and the structure of the round function of the KASUMI block cipher,
we have the following two results.

Observation 3. If the input mask of the $FL_6$ function is $(a, a')$, where
$a' = (a \lll 1) \circ \neg KL_{6,2}$, then the input masks of the $FO_{6,l}$ and $FO_{6,r}$
functions only depend on the 64-bit subkey $k_1$, $k_4$, $k_5$ and $k_3$, see Figure 3.

Figure 2: Property of OR, AND and FL function. Panels (a), (b), (c).

Observation 4. Let $(a, a')$ be the output mask of the $FL_2$ and $FL_8$ functions, where
$a[i - 1] = 0$ if $KL_{2,2}[i] \oplus KL_{8,2}[i] = 1$, $i = 1, 2, \ldots, l - 1$, and $a[l - 1] = 0$
if $KL_{2,2}[0] \oplus KL_{8,2}[0] = 1$, and let
$a' = (a \lll 1) \circ \neg KL_{2,2} \circ \neg KL_{8,2}$; then the output masks of $FI_{2,3}$ and
$FI_{8,3}$ are zero, and the input masks of the $FO_{2,l}$, $FO_{2,r}$, $FO_{8,l}$ and $FO_{8,r}$
functions depend on the 96-bit subkey $k_3$, $k_6$, $k_7$, $k_5$, $k_1$ and $k_4$, see Figure 4.



4 Key-recovery attack on the 6 Rounds of KASUMI 

The generic 5-round zero-correlation linear approximations of the Feistel structure were introduced
by Bogdanov and Rijmen in [1], which is: $(a, 0) \xrightarrow{5\text{-Round}} (a, 0)$, where a is a
32-bit non-zero value. Combined with the Feistel structure of the round function, some special values
of input mask a are selected to attack the 6-round version of KASUMI. We mount the 5-round
zero-correlation linear approximations from round 1 to round 5, and extend one round backward.
We select the 5-round zero-correlation linear approximations as:

$$(a \| a', 0) \xrightarrow{5\text{-Round}} (a \| a', 0),$$

where a is a 16-bit non-zero value and $a' = (a \lll 1) \circ \neg KL_{6,2}$. The choice is to
minimize the key words guessed during the attack on 6 rounds of KASUMI. Based on Observation 3, we
know that, if the input mask of the first round is selected as above, $FI_{6,3}$ and $FO_{6,3}$ are
not involved in the computation, which can help us to reduce the complexity of the attack. The
zero-correlation linear attack on the 6-round variant of KASUMI is demonstrated as follows,
see also Fig. 3.

In our attack, we guess the subkey and evaluate the linear approximation
$(a, a')^T \cdot ((L_{0,l}, L_{0,r}) \oplus (R_{5,l}, R_{5,r})) = 0$, that is

$$(a, a') \cdot (L_{0,l} \oplus L_{6,l}, L_{0,r} \oplus L_{6,r}) \oplus a \cdot (FI(L_{5,l} \oplus (k_1 \lll 5), k'_4) \oplus L_{5,r} \oplus FI(L_{5,r} \oplus (k_5 \lll 8), k'_3)) = 0,$$

where $a' = (a \lll 1) \circ \neg k'_8$. Then the key-recovery attack on 6-round KASUMI proceeds
with the partial-sum technique as follows.

Figure 3: Multidimensional Zero-correlation attack on 6-round KASUMI

1. Allocate a counter vector
$V[L_{5,l} | L_{5,r} | L_{5,r} \oplus L_{6,l} \oplus L_{0,l} | L_{6,r} \oplus L_{0,r}]$ of size 64
where each element is 8-bit length and initialize to zero. In this step, about $2^{64}$
plaintext-ciphertext pairs are divided into $2^{64}$ different states. The expected number of pairs
for each state is around one, so the assumption of V as an 8-bit counter is sufficient.

2. Guess all possible values of 16 subkey bits $k'_2$.

3. For N plaintext-ciphertext pairs, extract the 48-bit value

$$i = (L_{5,l} | L_{5,r} | X^1)$$

where $X^1 = L_{5,r} \oplus L_{6,l} \oplus L_{0,l} \oplus ((\neg k'_2 \circ (L_{6,r} \oplus L_{0,r})) \ggg 1)$
and increment the counter $x_i$ according to the value of i.

4. Guess all possible values of 32 master key bits $k_4$ and $k_1$, partially encrypt $L_{5,l}$ to
get $YI_{6,1}$. Let $X^2 = X^1 \oplus YI_{6,1}$. Add one to the corresponding
$i = (L_{5,r} | X^2)$. The time complexity of Step 4 is no more than
$2^{16} \times 2^{32} \times 2^{48} \times \frac{1}{3} \times \frac{1}{6}$ 6-round encryptions.

5. Guess all possible values of 32 master key bits $k_5$ and $k_3$, partially encrypt $L_{5,r}$ to get
$YI_{6,2}$. Let $X^3 = X^2 \oplus YI_{6,2}$. Add one to the corresponding $i = (X^3)$. The time
complexity of Step 5 is no more than
$2^{16} \times 2^{32} \times 2^{32} \times 2^{32} \times \frac{1}{3} \times \frac{1}{6}$ 6-round
encryptions.

6. After Step 5, 80 master key bits have been guessed and the parity of $a \cdot X^3$ could be
evaluated for all zero-correlation linear approximations.

7. Allocate a counter vector $V[z]$ of size $2^{16}$ where each element is 64-bit length for 16-bit
z (z is the concatenation of evaluations of 16 basis zero-correlation masks).

8. For $2^{16}$ values of X, evaluate all basis zero-correlation masks on X and put the
evaluations to the vector z, then add the corresponding $V[z]$: $V[z] \mathrel{+}= V[X]$.

9. Compute $T = N 2^{16} \sum_{z=0}^{2^{16}-1} \left(\frac{V[z]}{N} - \frac{1}{2^{16}}\right)^2$. If
$T < \tau$, then the guessed key is a possible key candidate. As there are 48 master key bits that
we haven't guessed, we do exhaustive search for all keys conforming to this possible key candidate.
Step   Guess   Computed States               Counter-Size
1      $k_2$                                 48
2              $x_i^2 = (L_{5,r} | X^2)$     32
3              $x_i^3 = (X^3)$               16

Table 3: Partial decryption on 6-Round KASUMI



In this attack, we set the type-I error probability $\beta_0 = 2^{-2.7}$ and the type-II error
probability $\beta_1 = 2^{-82}$. We have $z_{1-\beta_0} \approx 1$, $z_{1-\beta_1} \approx 10$,
$n = 64$, $l = 2^{16} - 1$. The data complexity N is about $2^{59.4}$ and the decision threshold
$\tau \approx 2^{15.9}$.

There are 80 bits of master key guessed during the encryption phase, and only the
right key candidates survive the wrong key filtration. The complexity of Step 3 is no
more than $N \cdot 2^{16}$ 6-round KASUMI encryptions and the complexity of Step 5 is about
$2^{107.8}$ 6-round KASUMI encryptions, which is also the dominant part of our attack. In total, the
data complexity is about $2^{59.4}$ known plaintexts, the time complexity is about $2^{107.8}$ 6-round
KASUMI encryptions and the memory requirement is $2^{64}$ 8-bit counters.

5 Key-recovery attack on the last 7 round KASUMI 

In this section, we describe our attacks on the last 7 rounds of KASUMI. We mount the 5-round
zero-correlation linear approximations from round 3 to round 7, and extend one round
forward and backward respectively. We assume that the subkeys $k'_2$ and $k'_4$ have the same
value in at least 8 bit positions among the 16 bit positions; then, based on Observation 4, we
know there are at least $2^8$ input masks, and it is easy to see that more than half of the
master key space has this property. In the attack, we also select some special input masks
to reduce the number of guessed key bits.
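The weak-key condition above, together with the key schedule of Tab. 2, can be made concrete. The following Python example is added here and is not taken from the paper: it derives the round subkeys from a 128-bit key, tests whether $KL_{2,2} = k'_4$ and $KL_{8,2} = k'_2$ agree in at least 8 bit positions, and computes the exact fraction of keys for which they do. The constants $C_i$ are those fixed in the 3GPP KASUMI specification; the function names and the big-endian word order with $k_1$ first are assumptions.

```python
from math import comb

# Key-schedule constants C_1..C_8 from the 3GPP KASUMI specification.
C = (0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210)


def rol16(x, r):
    """Rotate a 16-bit word left by r bits (0 < r < 16)."""
    return ((x << r) | (x >> (16 - r))) & 0xFFFF


def key_schedule(key):
    """Round subkeys of Tab. 2 for a 16-byte key K = k_1 || ... || k_8."""
    if len(key) != 16:
        raise ValueError("KASUMI uses a 128-bit key")
    k = [int.from_bytes(key[2 * j:2 * j + 2], "big") for j in range(8)]
    kp = [k[j] ^ C[j] for j in range(8)]          # k'_j = k_j xor C_j
    rounds = []
    for i in range(8):                            # i = round number - 1
        rounds.append({
            "KL": (rol16(k[i], 1), kp[(i + 2) % 8]),
            "KO": (rol16(k[(i + 1) % 8], 5),
                   rol16(k[(i + 5) % 8], 8),
                   rol16(k[(i + 6) % 8], 13)),
            "KI": (kp[(i + 4) % 8], kp[(i + 3) % 8], kp[(i + 7) % 8]),
        })
    return rounds


def agreeing_bits(a, b):
    """Number of the 16 bit positions in which a and b are equal."""
    return 16 - bin(a ^ b).count("1")


def is_weak_key(key, min_agree=8):
    """True if KL_{2,2} and KL_{8,2} agree in at least min_agree positions."""
    sub = key_schedule(key)
    return agreeing_bits(sub[1]["KL"][1], sub[7]["KL"][1]) >= min_agree


def weak_key_fraction(min_agree=8):
    """Exact fraction of keys meeting the condition: k'_2 xor k'_4 is uniform
    over all keys, so the number of agreeing positions is Binomial(16, 1/2)."""
    return sum(comb(16, j) for j in range(min_agree, 17)) / 2 ** 16


if __name__ == "__main__":
    constructed_key = bytes(range(16))            # constructed sample key
    for number, sub in enumerate(key_schedule(constructed_key), start=1):
        print(number, [hex(v) for part in ("KL", "KO", "KI") for v in sub[part]])
    print("weak:", is_weak_key(constructed_key))
    print("fraction of weak keys: %.4f" % weak_key_fraction())
```

The computed fraction, 39203/65536 (about 0.598), is consistent with the statement that more than half of the key space satisfies the condition.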

In our attack, we guess the subkey and evaluate the linear approximation
$(a, a')^T \cdot ((L_{2,l}, L_{2,r}) \oplus (R_{7,l}, R_{7,r})) = 0$, that is

$$(a, a') \cdot ((R_{1,l}, R_{1,r}) \oplus (L_{8,l}, L_{8,r})) \oplus a \cdot (FI(L_{1,l} \oplus (k_3 \lll 5), k'_6) \oplus L_{1,r} \oplus FI(L_{1,r} \oplus k'_5, k_7 \lll 8)$$
$$\oplus\, FI(L_{7,l} \oplus (k_1 \lll 5), k'_4) \oplus L_{7,r} \oplus FI(L_{7,r} \oplus (k_5 \lll 8), k'_3)) = 0,$$

where $a[i - 1] = 0$ if $k'_4[i] \oplus k'_2[i] = 1$, $i = 1, 2, \ldots, 15$, and $a[15] = 0$ if
$k'_4[0] \oplus k'_2[0] = 1$, and we let $a' = (a \lll 1) \circ \neg k'_4 \circ \neg k'_2$.

Then the key-recovery attack on 7-round KASUMI proceeds with the partial-sum technique
as follows.

1. Allocate a counter vector
$N[L_{1,l} | L_{1,r} | L_{7,l} | L_{7,r} | R_{1,l} \oplus L_{8,l} \oplus L_{1,r} \oplus L_{7,r} | R_{1,r} \oplus L_{8,r}]$
of size 96 where each element is 8-bit length and initialize to zero.

2. Guess all possible values of 16 master key bits $k'_4$.

3. For N plaintext-ciphertext pairs, extract the 80-bit value

$$i = (L_{1,l} | L_{1,r} | L_{7,l} | L_{7,r} | Y^1)$$

where $Y^1 = R_{1,l} \oplus L_{8,l} \oplus L_{1,r} \oplus L_{7,r} \oplus ((\neg k'_4 \circ (R_{1,r} \oplus L_{8,r})) \ggg 1)$
and increment the counter $x_i$ according to the value of i.

4. Guess all possible values of 48 master key bits $k_1$, $k_5$, $k_3$, partially encrypt $L_{7,l}$
and $L_{7,r}$ to get $YO_{8,l}$. Let $Y^2 = Y^1 \oplus YO_{8,l}$ and add one to the corresponding
$i = (L_{1,l} | L_{1,r} | Y^2)$. The time complexity of Step 4 is no more than
$N \times 2^{16} \times 2^{48} \times \frac{1}{3} \times \frac{1}{7}$ 7-round encryptions.

5. Guess all possible values of 16 master key bits $k_6$, partially encrypt $L_{1,l}$ to get
$YI_{2,1}$. Let $Y^3 = Y^2 \oplus YI_{2,1}$. Add one to the corresponding $i = (L_{1,r}, Y^3)$. The
time complexity of Step 5 is no more than
$2^{16} \times 2^{64} \times 2^{48} \times \frac{1}{3} \times \frac{1}{7}$ 7-round encryptions.

6. Guess all possible values of 16 master key bits $k_7$, partially encrypt $L_{1,r}$ to get
$YI_{2,2}$. Let $Y^4 = Y^3 \oplus YI_{2,2}$. Add one to the corresponding $i = (Y^4)$. The time
complexity of Step 5 is no more than
$2^{16} \times 2^{16} \times 2^{16} \times 2^{48} \times 2^{32} \times \frac{1}{3} \times \frac{1}{7}$
7-round encryptions.

7. Guess $2^{15}$ values of $k_2$ under the weak-key condition. $k'_2$ has the same value as $k'_4$
in at least 8 bit positions, and we call those bit positions active bit positions. We let the mask
a be 0 or 1 in the first 8 active bit positions and 0 in the others, so there are $2^8$ masks.

8. Allocate a counter vector $N[z]$ of size $2^8$ where each element is 64-bit length for 8-bit
z (z is the concatenation of evaluations of 8 basis zero-correlation masks).

9. For $2^{16}$ values of $Y^4$, evaluate 8 basis zero-correlation masks on $Y^4$ and put the
evaluations to the vector z, then add the corresponding $N[z]$: $N[z] \mathrel{+}= N[Y^4]$.

10. Compute $T = N 2^8 \sum_{z=0}^{2^8-1} \left(\frac{N[z]}{N} - \frac{1}{2^8}\right)^2$. If
$T < \tau$, then the guessed key is a possible key candidate. As there are 48 master key bits that
we haven't guessed, we do exhaustive search for all keys conforming to this possible key candidate.

Figure 4: Multidimensional Zero-correlation attack on KASUMI reduced to rounds 2-8

In this attack, we set the type-I error probability $\beta_0 = 2^{-2.7}$ and the type-II error
probability $\beta_1 = 2^{-10}$. We have $z_{1-\beta_0} \approx 1$, $z_{1-\beta_1} \approx 3.09$,
$n = 64$, $l = 2^8 - 1$. The data complexity N is about $2^{62.1}$ and the decision threshold
$\tau \approx 2^{7.6}$.

There are $2^{111}$ master key values guessed during the encryption and decryption phase, and
$2^{111} \cdot 2^{-10} = 2^{101}$ key candidates survive the wrong key filtration. Step 10 needs about
$2^{128} \cdot 2^{-10} = 2^{118}$ 7-round KASUMI encryptions. The complexity of the dominant Step 5,
6, 7 is about $2^{123.61}$, $2^{123.61}$ 7-round KASUMI encryptions and $2^{127}$ memory accesses. If
we assume that one memory access is equivalent to one FI function operation, then the
total complexity is about $2^{125.2}$ 7-round KASUMI encryptions with $2^{62.1}$ known plaintexts.

6 Conclusion 

In this paper, we evaluate the security of KASUMI with respect to the novel technique of
multidimensional zero-correlation cryptanalysis. We refine the zero-correlation linear
approximations by selecting some special input masks. Besides, we give some observations on the
FL function with some special input masks, with which we give the first multidimensional
zero-correlation attack on 6 rounds and on the last 7 rounds of the KASUMI block cipher. The
two attacks need $2^{107.8}$ encryptions with $2^{59.4}$ chosen plaintexts and $2^{125.2}$ encryptions
with $2^{62.1}$ known plaintexts, respectively.